<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<!-- Mirrored from www.wolfssl.com/wolfSSL/Docs-wolfssl-manual-7-keys-and-certificates.html by HTTrack Website Copier/3.x [XR&CO'2014], Tue, 17 Jan 2017 13:30:31 GMT -->
<!-- Added by HTTrack --><meta http-equiv="content-type" content="text/html;charset=UTF-8" /><!-- /Added by HTTrack -->
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
<meta name="Generator" content="iWeb 3.0.4"/>
<meta name="iWeb-Build" content="local-build-20170103"/>
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE7"/>
<meta name="viewport" content="width=770"/>
<title>wolfSSL - Docs | wolfSSL Manual - Chapter 7 (Keys and Certificates)</title>
<link rel="stylesheet" type="text/css" media="screen,print" href="Docs-wolfssl-manual-7-keys-and-certificates_files/Docs-wolfssl-manual-7-keys-and-certificates.css"/>
<!--[if lt IE 8]><link rel='stylesheet' type='text/css' media='screen,print' href='Docs-wolfssl-manual-7-keys-and-certificates_files/Docs-wolfssl-manual-7-keys-and-certificatesIE.css'/><![endif]-->
<!--[if gte IE 8]><link rel='stylesheet' type='text/css' media='screen,print' href='Media/IE8.css'/><![endif]-->
<script type="text/javascript" src="Scripts/iWebSite.js"></script>
<script type="text/javascript" src="Docs-wolfssl-manual-7-keys-and-certificates_files/Docs-wolfssl-manual-7-keys-and-certificates.js"></script>
<meta name="description" content="X.509 concepts and usage in the wolfSSL embedded SSL library, including keys and certificates."/><meta name="keywords" content="embedded ssl, ssl library, embedded web server, openssl alternative, openssl replacement, cyassl, stream ciphers ssl, aes-ni ssl, dtls, mysql ssl, portable ssl, small openssl, smart grid, connected home, ecc, lightweight ssl, suite b, encryption security software, ssl inspection"/><meta name="robots" content="follow,index"/> <script>(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)})(window,document,'script','../../www.google-analytics.com/analytics.js','ga');ga('create','UA-64826966-1','auto');ga('send','pageview');</script>
 
<script>//<![CDATA[
window.zEmbed||function(e,t){var n,o,d,i,s,a=[],r=document.createElement("iframe");window.zEmbed=function(){a.push(arguments)},window.zE=window.zE||window.zEmbed,r.src="javascript:false",r.title="",r.role="presentation",(r.frameElement||r).style.cssText="display: none",d=document.getElementsByTagName("script"),d=d[d.length-1],d.parentNode.insertBefore(r,d),i=r.contentWindow,s=i.document;try{o=s}catch(c){n=document.domain,r.src='javascript:var d=document.open();d.domain="'+n+'";void(0);',o=s}o.open()._l=function(){var o=this.createElement("script");n&&(this.domain=n),o.id="js-iframe-async",o.src=e,this.t=+new Date,this.zendeskHost=t,this.zEQueue=a,this.body.appendChild(o)},o.write('<body onload="document._l();">'),o.close()}("../../assets.zendesk.com/embeddable_framework/main.js","wolfssl.zendesk.com");
//]]></script>
  </head>
<body style="background: rgb(255, 255, 255); margin: 0pt; " onload="onPageLoad();">
<div style="text-align: center; ">
<div style="margin-bottom: 20px; margin-left: auto; margin-right: auto; margin-top: 20px; overflow: hidden; position: relative; word-wrap: break-word;  background: rgb(255, 255, 255); text-align: left; width: 770px; " id="body_content">
<div style="float: left; margin-left: 0px; position: relative; width: 770px; z-index: 0; " id="nav_layer">
<div style="height: 0px; line-height: 0px; " class="bumper"> </div>
<div style="clear: both; height: 0px; line-height: 0px; " class="spacer"> </div>
</div>
<div style="float: left; height: 0px; line-height: 0px; margin-left: 0px; position: relative; width: 770px; z-index: 10; " id="header_layer">
<div style="height: 0px; line-height: 0px; " class="bumper"> </div>
</div>
<div style="margin-left: 0px; position: relative; width: 770px; z-index: 5; " id="body_layer">
<div style="height: 0px; line-height: 0px; " class="bumper"> </div>
<div id="id1" style="height: 38px; left: 375px; position: absolute; top: 157px; width: 361px; z-index: 1; " class="style_SkipStroke shape-with-text">
<div class="text-content graphic_textbox_layout_style_default_External_361_38" style="padding: 0px; ">
<div class="graphic_textbox_layout_style_default">
<p style="padding-bottom: 0pt; padding-top: 0pt; " class="paragraph_style">wolfSSL Manual</p>
</div>
</div>
</div>
<div id="id2" style="height: 5603px; left: 35px; position: absolute; top: 281px; width: 701px; z-index: 1; " class="style_SkipStroke shape-with-text">
<div class="text-content graphic_textbox_layout_style_default_External_701_5603" style="padding: 0px; ">
<div class="graphic_textbox_layout_style_default">
<p style="padding-top: 0pt; " class="paragraph_style_1">Chapter 7: Keys and Certificates<span class="style"><br/></span></p>
<p class="paragraph_style_2"><br/></p>
<p class="paragraph_style_3">For a introduction to X.509 certificates, as well as how they are used in SSL and TLS, please see <a title="Docs-wolfssl-manual-A-ssl-tls-overview.html" href="Docs-wolfssl-manual-A-ssl-tls-overview.html">Appendix A</a>.<br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_4">7.1 Supported Formats and Sizes<br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_3">wolfSSL (formerly CyaSSL) has support for <span class="style_1">PEM</span>, and <span class="style_1">DER</span> formats for certificates and keys, as well as PKCS#8 private keys (with PKCS#5 or PKCS#12 encryption).<br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_3"><span class="style_1">PEM</span>, or “Privacy Enhanced Mail” is the most common format that certificates are issued in by certificate authorities.  PEM files are Base64 encoded ASCII files which can include multiple server certificates, intermediate certificates, and private keys, and usually have a .<span class="style_1">pem</span>, .<span class="style_1">crt</span>, .<span class="style_1">cer</span>, or .<span class="style_1">key</span> file extension. Certificates inside PEM files are wrapped in the “<span class="style_2">-----BEGIN CERTIFICATE-----</span>” and “<span class="style_2">-----END CERTIFICATE-----</span>” statements.<br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_3"><span class="style_1">DER</span>, or “Distinguished Encoding Rules”, is a binary format of a certificate. DER file extensions can include .<span class="style_1">der</span> and .<span class="style_1">cer</span>, and cannot be viewed with a text editor.<br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_4">7.2 Certificate Loading<br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_3">Certificates are normally loaded using the file system (although loading from memory buffers is supported as well - see section 7.5).<br/></p>
<p class="paragraph_style_5"><br/></p>
<p class="paragraph_style_5"><br/></p>
<p class="paragraph_style_5">7.2.1 Loading CA (Certificate Authority) Certificates<br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_3">CA certificate files can be loaded using the wolfSSL_CTX_load_verify_locations() function:<br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_6">int wolfSSL_CTX_load_verify_locations(WOLFSSL_CTX *<span class="style_1">ctx</span>, <br/></p>
<p class="paragraph_style_6">                                      const char *<span class="style_1">CAfile</span>, <br/></p>
<p class="paragraph_style_6">                                      const char *<span class="style_1">CApath</span>);<br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_3">CA loading can also parse multiple CA certificates per file using the above function by passing in a <span class="style_1">CAfile</span> in PEM format with as many certs as possible. This makes initialization easier, and is useful when a client needs to load several root CAs at startup.  This makes wolfSSL easier to port into tools that expect to be able to use a single file for CAs.<br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_5">7.2.2 Loading Client or Server Certificates<br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_3">Loading single client or server certificates can be done with the wolfSSL_CTX_use_certificate_file() function.  If this function is used with a certificate chain, only the actual, or “bottom” certificate will be sent.<br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_6">int wolfSSL_CTX_use_certificate_file(WOLFSSL_CTX *<span class="style_1">ctx</span>, <br/></p>
<p class="paragraph_style_6">                                     const char *<span class="style_1">CAfile</span>, <br/></p>
<p class="paragraph_style_6">                                     int <span class="style_1">type</span>);<br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_3"><span class="style_1">CAfile</span> is the CA certificate file, and <span class="style_1">type</span> is the format of the certificate - such as SSL_FILETYPE_PEM.<br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_3">The server and client can send certificate chains using the wolfSSL_CTX_use_certificate_chain_file() function.  The certificate chain file must be in <span class="style_1">PEM</span> format and must be sorted starting with the subject's certificate (the actual client or server cert), followed by any intermediate certificates and ending (optionally) at the root &quot;top&quot; CA.  The example server (/examples/server/server.c) uses this functionality.<br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_6">int wolfSSL_CTX_use_certificate_chain_file(WOLFSSL_CTX *<span class="style_1">ctx</span>,<br/></p>
<p class="paragraph_style_6">                                           const char *<span class="style_1">file</span>);<br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_5">7.2.3 Loading Private Keys<br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_3">Server private keys can be loaded using the <span class="style_1">wolfSSL_CTX_use_PrivateKey_file</span>() function.<br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_6">int wolfSSL_CTX_use_PrivateKey_file(WOLFSSL_CTX *<span class="style_1">ctx</span>, <br/></p>
<p class="paragraph_style_6">                                    const char *<span class="style_1">keyFile</span>, <br/></p>
<p class="paragraph_style_6">                                    int <span class="style_1">type</span>);<br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_3"><span class="style_1">keyFile</span> is the private key file, and type is the format of the private key (i.e. SSL_FILETYPE_PEM).<br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_5">7.2.4 Loading Trusted Peer Certificates<br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_3">Loading a trusted peer certificate to use can be done with wolfSSL_CTX_trust_peer_cert().<br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_6">int wolfSSL_CTX_trust_peer_cert(WOLFSSL_CTX *<span class="style_1">ctx</span>, <br/></p>
<p class="paragraph_style_6">                                const char *<span class="style_1">trustCert</span>, int <span class="style_1">type</span>);<br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_3"><span class="style_1">trustCert</span> is the certificate file to load, and <span class="style_1">type</span> is the format of the private key (i.e. SSL_FILETYPE_PEM).<br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_4">7.3 Certificate Chain Verification<br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_3">wolfSSL requires that only the top or “root” certificate in a chain to be loaded as a trusted certificate in order to verify a certificate chain. This means that if you have a certificate chain (A -&gt; B -&gt; C), where C is signed by B, and B is signed by A, wolfSSL only requires that certificate A be loaded as a trusted certificate in order to verify the entire chain (A-&gt;B-&gt;C).<br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_3">For example, if a server certificate chain looks like:<br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_3">A<br/></p>
<p class="paragraph_style_3"> | ---- &gt; B<br/></p>
<p class="paragraph_style_3">              | ---- &gt; C<br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_3">The wolfSSL client should already have at least the root cert (A) loaded as a trusted root.  When the client receives the server cert chain, it uses the signature of A to verify B, and if B has not been previously loaded into wolfSSL as a trusted root, B gets stored in wolfSSL's internal cert chain (wolfSSL just stores what is necessary to verify a certificate: common name hash, public key and key type, etc.).  If B is valid, then it is used to verify C.<br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_3">Following this model, as long as root cert &quot;A&quot; has been loaded as a trusted root into the wolfSSL server, the server certificate chain will still be able to be verified if the server sends (A-&gt;B-&gt;C), or (B-&gt;C).  If the server just sends (C), and not the intermediate certificate, the chain will not be able to be verified unless the wolfSSL client has already loaded B as a trusted root.<br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_4">7.4 Domain Name Check for Server Certificates<br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_3">wolfSSL has an extension on the client that automatically checks the domain of the server certificate. In OpenSSL mode nearly a dozen function calls are needed to perform this. wolfSSL checks that the date of the certificate is in range, verifies the signature, and additionally verifies the domain if you call:<br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_6">wolfSSL_check_domain_name(WOLFSSL* ssl, const char* dn);<br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_3">before calling wolfSSL_connect(). wolfSSL will match the X509 issuer name of peer's server certificate against dn (the expected domain name). If the names match wolfSSL_connect() will proceed normally, however if there is a name mismatch, wolfSSL_connect() will return a fatal error and wolfSSL_get_error() will return <span class="style_1">DOMAIN_NAME_MISMATCH</span>.<br/></p>
<p class="paragraph_style_3"> <br/></p>
<p class="paragraph_style_3">Checking the domain name of the certificate is an important step that verifies the server is actually who it claims to be. This extension is intended to ease the burden of performing the check.<br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_4">7.5 No File System and using Certificates<br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_3">Normally a file system is used to load private keys, certificates, and CAs. Since wolfSSL is sometimes used in environments without a full file system an extension to use memory buffers instead is provided. To use the extension define the constant <span class="style_1">NO_FILESYSTEM</span> and the following functions will be made available:<br/></p>
<p class="paragraph_style_3"> <br/></p>
<p class="paragraph_style_6">int wolfSSL_CTX_load_verify_buffer(WOLFSSL_CTX*, const unsigned<br/></p>
<p class="paragraph_style_6">                                   char*,long, int)<br/></p>
<p class="paragraph_style_6">int wolfSSL_CTX_use_certificate_buffer(WOLFSSL_CTX*, const unsigned <br/></p>
<p class="paragraph_style_6">                                       char*, long, int)<br/></p>
<p class="paragraph_style_6">int wolfSSL_CTX_use_PrivateKey_buffer(WOLFSSL_CTX*, const unsigned <br/></p>
<p class="paragraph_style_6">                                      char*, long, int)<br/></p>
<p class="paragraph_style_6">int wolfSSL_CTX_use_certificate_chain_buffer(WOLFSSL_CTX*,<br/></p>
<p class="paragraph_style_6">                                             const unsigned char*,long)<br/>int wolfSSL_CTX_trust_peer_buffer(WOLFSSL_CTX*, const unsigned char*,<br/></p>
<p class="paragraph_style_6">                                  long, int)<br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_3">Use these functions exactly like their counterparts that are named file instead of buffer.  And instead of providing a filename provide a memory buffer.<br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_7">7.5.1 Test Certificate and Key Buffers<br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_3">wolfSSL has come bundled with test certificate and key files in the past.  Now it also comes bundled with test certificate and key buffers for use in environments with no filesystem available.  These buffers are available in certs_test.h when defining one or more of <span class="style_1">USE_CERT_BUFFERS_1024</span>, <span class="style_1">USE_CERT_BUFFERS_2048</span>, or <span class="style_1">USE_CERT_BUFFERS_256</span>.<br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_4">7.6 Serial Number Retrieval<br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_3">The serial number of an X.509 certificate can be extracted from wolfSSL using the following function.  The serial number can be of any length.<br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_6">int wolfSSL_X509_get_serial_number(WOLFSSL_X509* x509, <br/></p>
<p class="paragraph_style_6">                                   unsigned char* buffer, int* inOutSz);<br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_3"><span class="style_1">buffer</span> will be written to with at most *<span class="style_1">inOutSz</span> bytes on input. After the call, if successful (return of 0), *<span class="style_1">inOutSz</span> will hold the actual number of bytes written to <span class="style_1">buffer</span>. A full example is included wolfssl/test.h.<br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_4">7.7 RSA Key Generation<br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_3">wolfSSL supports RSA key generation of varying lengths up to 4096 bits. Key generation is off by default but can be turned on during the ./configure process with:<br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_6">--enable-keygen<br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_3">or by defining <span class="style_1">WOLFSSL_KEY_GEN</span> in Windows or non-standard environments. Creating a key is easy, only requiring one function from rsa.h:<br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_6">int MakeRsaKey(RsaKey* key, int size, long e, RNG* rng);<br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_3">Where size is the length in bits and e is the public exponent, using 65537 is usually a good choice for e. The following from wolfcrypt/test/test.c gives an example creating an RSA key of 1024 bits:<br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_6">RsaKey genKey;<br/></p>
<p class="paragraph_style_6">RNG    rng;<br/></p>
<p class="paragraph_style_6">int    ret;<br/></p>
<p class="paragraph_style_6"><br/></p>
<p class="paragraph_style_6">InitRng(&amp;rng);<br/></p>
<p class="paragraph_style_6">InitRsaKey(&amp;genKey, 0);<br/></p>
<p class="paragraph_style_6"><br/></p>
<p class="paragraph_style_6">ret = MakeRsaKey(&amp;genKey, 1024, 65537, &amp;rng);<br/></p>
<p class="paragraph_style_6">if (ret != 0)<br/></p>
<p class="paragraph_style_6">    /* ret contains error */;<br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_3">The RsaKey genKey can now be used like any other RsaKey. If you need to export the key, wolfSSL provides both DER and PEM formatting in asn.h. Always convert the key to DER format first, and then if you need PEM use the generic DerToPem() function like this:<br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_6">byte der[4096];<br/></p>
<p class="paragraph_style_6">int  derSz = RsaKeyToDer(&amp;genKey, der, sizeof(der));<br/></p>
<p class="paragraph_style_6">if (derSz &lt; 0)<br/></p>
<p class="paragraph_style_6">    /* derSz contains error */;<br/></p>
<p class="paragraph_style_6"><br/></p>
<p class="paragraph_style_3">The buffer der now holds a DER format of the key. To convert the DER buffer to PEM use the conversion function:<br/></p>
<p class="paragraph_style_6"><br/></p>
<p class="paragraph_style_6">byte pem[4096];<br/></p>
<p class="paragraph_style_6">int  pemSz = DerToPem(der, derSz, pem, sizeof(pem),<br/></p>
<p class="paragraph_style_6">                      PRIVATEKEY_TYPE);<br/></p>
<p class="paragraph_style_6">if (pemSz &lt; 0)<br/></p>
<p class="paragraph_style_6">    /* pemSz contains error */;<br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_3">The last argument of DerToPem() takes a type parameter, usually either <span class="style_1">PRIVATEKEY_TYPE</span> or <span class="style_1">CERT_TYPE</span>. Now the buffer pem holds the PEM format of the key.<br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_8"><span class="style_3">7.7.1 RSA Key Generation Notes</span><br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_3">Although an RSA private key contains the public key as well, wolfSSL doesn’t currently have the capability to generate a standalone RSA public key.  The private key can be used as both a private and public key by wolfSSL as used in test.c.  <br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_3">The reasoning behind the lack of individual RSA public key generation in wolfSSL is that the private key and the public key (in the form of a certificate) is all that is typically needed for SSL.<br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_3">A separate public key can be loaded into wolfSSL manually using the RsaPublicKeyDecode() function if need be.<br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_4">7.8 Certificate Generation<br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_3">wolfSSL supports X.509 v3 certificate generation. Certificate generation is off by default but can be turned on during the ./configure process with:<br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_6">--enable-certgen<br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_3">or by defining <span class="style_1">WOLFSSL_CERT_GEN</span> in Windows or non-standard environments.<br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_3">Before a certificate can be generated the user needs to provide information about the subject of the certificate. This information is contained in a structure from wolfssl/wolfcrypt/asn_public.h named Cert:<br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_6">/* for user to fill for certificate generation */<br/></p>
<p class="paragraph_style_6">typedef struct Cert {<br/></p>
<p class="paragraph_style_6">    int      version;                   /* x509 version  */<br/></p>
<p class="paragraph_style_6">    byte     serial[CTC_SERIAL_SIZE];   /* serial number */<br/></p>
<p class="paragraph_style_6">    int      sigType;                   /* signature algo type */<br/></p>
<p class="paragraph_style_6">    CertName issuer;                    /* issuer info */<br/></p>
<p class="paragraph_style_6">    int      daysValid;                 /* validity days */<br/></p>
<p class="paragraph_style_6">    int      selfSigned;                /* self signed flag */<br/></p>
<p class="paragraph_style_6">    CertName subject;                   /* subject info */<br/></p>
<p class="paragraph_style_6">    int      isCA;                      /* is this going to be a CA */<br/></p>
<p class="paragraph_style_6">    ...<br/></p>
<p class="paragraph_style_6">} Cert;<br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_3">Where CertName looks like:<br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_6">typedef struct CertName {<br/></p>
<p class="paragraph_style_6">char country[CTC_NAME_SIZE];<br/></p>
<p class="paragraph_style_6">char countryEnc;<br/></p>
<p class="paragraph_style_6">char state[CTC_NAME_SIZE];<br/></p>
<p class="paragraph_style_6">char stateEnc;<br/></p>
<p class="paragraph_style_6">char locality[CTC_NAME_SIZE];<br/></p>
<p class="paragraph_style_6">char localityEnc;<br/></p>
<p class="paragraph_style_6">char sur[CTC_NAME_SIZE];<br/></p>
<p class="paragraph_style_6">char surEnc;<br/></p>
<p class="paragraph_style_6">char org[CTC_NAME_SIZE];<br/></p>
<p class="paragraph_style_6">char orgEnc;<br/></p>
<p class="paragraph_style_6">char unit[CTC_NAME_SIZE];<br/></p>
<p class="paragraph_style_6">char unitEnc;<br/></p>
<p class="paragraph_style_6">char commonName[CTC_NAME_SIZE];<br/></p>
<p class="paragraph_style_6">char commonNameEnc;<br/></p>
<p class="paragraph_style_6">char email[CTC_NAME_SIZE];  /* !!!! email has to be last !!!! */<br/></p>
<p class="paragraph_style_6">} CertName;<br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_3">Before filling in the subject information an initialization function needs to be called like this:<br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_6">Cert myCert;<br/></p>
<p class="paragraph_style_6">InitCert(&amp;myCert);<br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_3">InitCert() sets defaults for some of the variables including setting the version to <span class="style_1">3</span> (0x02), the serial number to <span class="style_1">0</span> (randPomly generated), the sigType to <span class="style_1">CTC_SHAwRSA</span>, the daysValid to <span class="style_1">500</span>, and selfSigned to <span class="style_1">1</span> (TRUE). Supported signature types include:<br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_6">CTC_SHAwDSA<br/></p>
<p class="paragraph_style_6">CTC_MD2wRSA<br/></p>
<p class="paragraph_style_6">CTC_MD5wRSA<br/></p>
<p class="paragraph_style_6">CTC_SHAwRSA<br/></p>
<p class="paragraph_style_6">CTC_SHAwECDSA<br/></p>
<p class="paragraph_style_6">CTC_SHA256wRSA<br/></p>
<p class="paragraph_style_6">CTC_SHA256wECDSA<br/></p>
<p class="paragraph_style_6">CTC_SHA384wRSA<br/></p>
<p class="paragraph_style_6">CTC_SHA384wECDSA<br/></p>
<p class="paragraph_style_6">CTC_SHA512wRSA<br/></p>
<p class="paragraph_style_6">CTC_SHA512wECDSA<br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_3">Now the user can initialize the subject information like this example from wolfcrypt/test/test.c:<br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_6">strncpy(myCert.subject.country, &quot;US&quot;, CTC_NAME_SIZE);<br/></p>
<p class="paragraph_style_6">strncpy(myCert.subject.state, &quot;OR&quot;, CTC_NAME_SIZE);<br/></p>
<p class="paragraph_style_6">strncpy(myCert.subject.locality, &quot;Portland&quot;, CTC_NAME_SIZE);<br/></p>
<p class="paragraph_style_6">strncpy(myCert.subject.org, &quot;yaSSL&quot;, CTC_NAME_SIZE);<br/></p>
<p class="paragraph_style_6">strncpy(myCert.subject.unit, &quot;Development&quot;, CTC_NAME_SIZE);<br/></p>
<p class="paragraph_style_6">strncpy(myCert.subject.commonName, &quot;<a title="http://www.wolfssl.com" href="http://www.wolfssl.com/">www.wolfssl.com</a>&quot;, CTC_NAME_SIZE);<br/></p>
<p class="paragraph_style_6">strncpy(myCert.subject.email, &quot;<a title="mailto:info@wolfssl.com" href="https://www.wolfssl.com/cdn-cgi/l/email-protection#432a2d252c03342c2f2530302f6d202c2e"><span class="__cf_email__" data-cfemail="2d44434b426d5a42414b5e5e41034e4240">[email&#160;protected]</span><script data-cfhash='f9e31' type="text/javascript">/* <![CDATA[ */!function(t,e,r,n,c,a,p){try{t=document.currentScript||function(){for(t=document.getElementsByTagName('script'),e=t.length;e--;)if(t[e].getAttribute('data-cfhash'))return t[e]}();if(t&&(c=t.previousSibling)){p=t.parentNode;if(a=c.getAttribute('data-cfemail')){for(e='',r='0x'+a.substr(0,2)|0,n=2;a.length-n;n+=2)e+='%'+('0'+('0x'+a.substr(n,2)^r).toString(16)).slice(-2);p.replaceChild(document.createTextNode(decodeURIComponent(e)),c)}p.removeChild(t)}}catch(u){}}()/* ]]> */</script></a>&quot;, CTC_NAME_SIZE);<br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_3">Then, a self-signed certificate can be generated using the variables genKey and rng from the above key generation example (of course any valid RsaKey or RNG can be used):<br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_6">byte derCert[4096];<br/></p>
<p class="paragraph_style_6"><br/></p>
<p class="paragraph_style_6">int certSz = MakeSelfCert(&amp;myCert, derCert, sizeof(derCert), &amp;key, &amp;rng);<br/></p>
<p class="paragraph_style_6">if (certSz &lt; 0)<br/></p>
<p class="paragraph_style_6">  /* certSz contains the error */;<br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_3">The buffer derCert now contains a DER format of the certificate. If you need a PEM format of the certificate you can use the generic DerToPem() function and specify the type to be <span class="style_1">CERT_TYPE</span> like this:<br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_6">byte* pem;<br/></p>
<p class="paragraph_style_6"><br/></p>
<p class="paragraph_style_6">int pemSz = DerToPem(derCert, certSz, pem, sizeof(pemCert), CERT_TYPE);<br/></p>
<p class="paragraph_style_6">if (pemCertSz &lt; 0)<br/></p>
<p class="paragraph_style_6">  /* pemCertSz contains error */;<br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_3">Now the buffer pemCert holds the PEM format of the certificate.<br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_3">If you wish to create a CA signed certificate then a couple of steps are required. After filling in the subject information as before, you’ll need to set the issuer information from the CA certificate.  This can be done with SetIssuer() like this:<br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_6">ret = SetIssuer(&amp;myCert, “ca-cert.pem”);<br/></p>
<p class="paragraph_style_6">if (ret &lt; 0)<br/></p>
<p class="paragraph_style_6">/* ret contains error */;<br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_3">Then you’ll need to perform the two-step process of creating the certificate and then signing it (MakeSelfCert() does these both in one step). You’ll need the private keys from both the issuer (<span class="style_1">caKey</span>) and the subject (<span class="style_1">key</span>). Please see the example in test.c for complete usage.<br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_6">byte derCert[4096];<br/></p>
<p class="paragraph_style_6"><br/></p>
<p class="paragraph_style_6">int certSz = MakeCert(&amp;myCert, derCert, sizeof(derCert), &amp;key, NULL, <br/></p>
<p class="paragraph_style_6">&amp;rng);<br/></p>
<p class="paragraph_style_6">if (certSz &lt; 0);<br/></p>
<p class="paragraph_style_6">   /* certSz contains the error */;<br/></p>
<p class="paragraph_style_6"><br/></p>
<p class="paragraph_style_6">certSz = SignCert(myCert.bodySz, myCert.sigType, derCert, <br/></p>
<p class="paragraph_style_6">sizeof(derCert), &amp;caKey, NULL, &amp;rng);<br/></p>
<p class="paragraph_style_6">if (certSz &lt; 0);<br/></p>
<p class="paragraph_style_6">   /* certSz contains the error */;      <br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_3">The buffer derCert now contains a DER format of the CA signed certificate.  If you need a PEM format of the certificate please see the self signed example above.  Note that MakeCert() and SignCert() provide function parameters for either an RSA or ECC key to be used.  The above example uses an RSA key and passes NULL for the ECC key parameter.<br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_7">7.9 Convert to raw ECC key<br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_3">With our recently added support for raw ECC key import comes the ability to convert an ECC key from PEM to DER. Use the following with the specified arguments to accomplish this: <br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_6">EccKeyToDer(ecc_key*, byte* output, word32 inLen);<br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_3">Example: <br/></p>
<p class="paragraph_style_3"><br/></p>
<p class="paragraph_style_6">    #define FOURK_BUF 4096 <br/></p>
<p class="paragraph_style_6">    byte  der[FOURK_BUF];<br/></p>
<p class="paragraph_style_6">    ecc_key userB; <br/></p>
<p class="paragraph_style_6"><br/></p>
<p class="paragraph_style_6">    EccKeyToDer(&amp;userB, der, FOURK_BUF);<br/></p>
</div>
</div>
</div>
<div id="id3" style="height: 24px; left: 193px; position: absolute; top: 122px; width: 268px; z-index: 1; " class="style_SkipStroke shape-with-text">
<div class="text-content graphic_textbox_layout_style_default_External_268_24" style="padding: 0px; ">
<div class="graphic_textbox_layout_style_default">
<p style="padding-bottom: 0pt; padding-top: 0pt; " class="paragraph_style_9"><a class="class1" title="Docs.html" href="Docs.html">Docs</a> <span class="style_4">-&gt;</span> <span class="style_5">wolfSSL Manual</span></p>
</div>
</div>
</div>
<div style="height: 1px; width: 698px;  height: 1px; left: 37px; position: absolute; top: 220px; width: 698px; z-index: 1; " class="tinyText">
<div style="position: relative; width: 698px; ">
<img src="Docs-wolfssl-manual-7-keys-and-certificates_files/shapeimage_1.jpg" alt="" style="height: 1px; left: 0px; position: absolute; top: 0px; width: 698px; "/>
</div>
</div>
<div style="height: 37px; width: 545px;  height: 37px; left: 191px; position: absolute; top: 80px; width: 545px; z-index: 1; " class="tinyText">
<div style="position: relative; width: 545px; ">
<img src="Docs-wolfssl-manual-7-keys-and-certificates_files/shapeimage_2.png" alt="" style="height: 37px; left: 0px; position: absolute; top: 0px; width: 545px; "/>
</div>
</div>
<div id="id4" style="height: 25px; left: 200px; position: absolute; top: 84px; width: 43px; z-index: 1; " class="style_SkipStroke_1 shape-with-text">
<div class="text-content graphic_textbox_layout_style_default_External_43_25" style="padding: 0px; ">
<div class="graphic_textbox_layout_style_default">
<p style="padding-bottom: 0pt; padding-top: 0pt; " class="paragraph_style_10"><a class="class2" title="Home.html" href="Home.html">Home</a></p>
</div>
</div>
</div>
<div id="id5" style="height: 25px; left: 365px; position: absolute; top: 84px; width: 72px; z-index: 1; " class="style_SkipStroke shape-with-text">
<div class="text-content graphic_textbox_layout_style_default_External_72_25" style="padding: 0px; ">
<div class="graphic_textbox_layout_style_default">
<p style="padding-bottom: 0pt; padding-top: 0pt; " class="paragraph_style_11"><a class="class3" title="https://wolfssl.com/wolfSSL/download/downloadForm.php" href="https://wolfssl.com/wolfSSL/download/downloadForm.php">Download</a></p>
</div>
</div>
</div>
<div id="id6" style="height: 25px; left: 439px; position: absolute; top: 84px; width: 59px; z-index: 1; " class="style_SkipStroke shape-with-text">
<div class="text-content graphic_textbox_layout_style_default_External_59_25" style="padding: 0px; ">
<div class="graphic_textbox_layout_style_default">
<p style="padding-bottom: 0pt; padding-top: 0pt; " class="paragraph_style_11"><a class="class4" title="License.html" href="License.html">License</a></p>
</div>
</div>
</div>
<div id="id7" style="height: 25px; left: 499px; position: absolute; top: 84px; width: 44px; z-index: 1; " class="style_SkipStroke shape-with-text">
<div class="text-content graphic_textbox_layout_style_default_External_44_25" style="padding: 0px; ">
<div class="graphic_textbox_layout_style_default">
<p style="padding-bottom: 0pt; padding-top: 0pt; " class="paragraph_style_11"><a class="class5" title="Blog/Blog.html" href="Blog/Blog.html">Blog</a></p>
</div>
</div>
</div>
<div id="id8" style="height: 25px; left: 589px; position: absolute; top: 84px; width: 80px; z-index: 1; " class="style_SkipStroke shape-with-text">
<div class="text-content graphic_textbox_layout_style_default_External_80_25" style="padding: 0px; ">
<div class="graphic_textbox_layout_style_default">
<p style="padding-bottom: 0pt; padding-top: 0pt; " class="paragraph_style_11"><a class="class6" title="Community.html" href="Community.html">Community</a></p>
</div>
</div>
</div>
<div style="height: 36px; width: 1px;  height: 36px; left: 245px; position: absolute; top: 81px; width: 0px; z-index: 1; " class="tinyText">
<div style="position: relative; width: 0px; ">
<img src="Docs-wolfssl-manual-7-keys-and-certificates_files/shapeimage_3.png" alt="" style="height: 36px; left: 0px; position: absolute; top: 0px; width: 1px; "/>
</div>
</div>
<div style="height: 37px; width: 1px;  height: 37px; left: 296px; position: absolute; top: 80px; width: 0px; z-index: 1; " class="tinyText">
<div style="position: relative; width: 0px; ">
<img src="Docs-wolfssl-manual-7-keys-and-certificates_files/shapeimage_4.png" alt="" style="height: 37px; left: 0px; position: absolute; top: 0px; width: 1px; "/>
</div>
</div>
<div style="height: 36px; width: 1px;  height: 36px; left: 363px; position: absolute; top: 81px; width: 0px; z-index: 1; " class="tinyText">
<div style="position: relative; width: 0px; ">
<img src="Docs-wolfssl-manual-7-keys-and-certificates_files/shapeimage_5.png" alt="" style="height: 36px; left: 0px; position: absolute; top: 0px; width: 1px; "/>
</div>
</div>
<div style="height: 36px; width: 1px;  height: 36px; left: 438px; position: absolute; top: 81px; width: 0px; z-index: 1; " class="tinyText">
<div style="position: relative; width: 0px; ">
<img src="Docs-wolfssl-manual-7-keys-and-certificates_files/shapeimage_6.png" alt="" style="height: 36px; left: 0px; position: absolute; top: 0px; width: 1px; "/>
</div>
</div>
<div style="height: 37px; width: 1px;  height: 37px; left: 498px; position: absolute; top: 80px; width: 0px; z-index: 1; " class="tinyText">
<div style="position: relative; width: 0px; ">
<img src="Docs-wolfssl-manual-7-keys-and-certificates_files/shapeimage_7.png" alt="" style="height: 37px; left: 0px; position: absolute; top: 0px; width: 1px; "/>
</div>
</div>
<div style="height: 37px; width: 1px;  height: 37px; left: 589px; position: absolute; top: 80px; width: 0px; z-index: 1; " class="tinyText">
<div style="position: relative; width: 0px; ">
<img src="Docs-wolfssl-manual-7-keys-and-certificates_files/shapeimage_8.png" alt="" style="height: 37px; left: 0px; position: absolute; top: 0px; width: 1px; "/>
</div>
</div>
<div id="id9" style="height: 25px; left: 671px; position: absolute; top: 84px; width: 61px; z-index: 1; " class="style_SkipStroke shape-with-text">
<div class="text-content graphic_textbox_layout_style_default_External_61_25" style="padding: 0px; ">
<div class="graphic_textbox_layout_style_default">
<p style="padding-bottom: 0pt; padding-top: 0pt; " class="paragraph_style_11"><a class="class7" title="Contact.html" href="Contact.html">Contact</a></p>
</div>
</div>
</div>
<div id="id10" style="height: 25px; left: 249px; position: absolute; top: 84px; width: 44px; z-index: 1; " class="style_SkipStroke shape-with-text">
<div class="text-content graphic_textbox_layout_style_default_External_44_25" style="padding: 0px; ">
<div class="graphic_textbox_layout_style_default">
<p style="padding-bottom: 0pt; padding-top: 0pt; " class="paragraph_style_10"><a class="class8" title="About.html" href="About.html">About</a></p>
</div>
</div>
</div>
<div style="height: 36px; width: 1px;  height: 36px; left: 670px; position: absolute; top: 81px; width: 0px; z-index: 1; " class="tinyText">
<div style="position: relative; width: 0px; ">
<img src="Docs-wolfssl-manual-7-keys-and-certificates_files/shapeimage_9.png" alt="" style="height: 36px; left: 0px; position: absolute; top: 0px; width: 1px; "/>
</div>
</div>
<div id="id11" style="height: 25px; left: 298px; position: absolute; top: 84px; width: 63px; z-index: 1; " class="style_SkipStroke_1 shape-with-text">
<div class="text-content graphic_textbox_layout_style_default_External_63_25" style="padding: 0px; ">
<div class="graphic_textbox_layout_style_default">
<p style="padding-bottom: 0pt; padding-top: 0pt; " class="paragraph_style_11"><a class="class9" title="Products.html" href="Products.html">Products</a></p>
</div>
</div>
</div>
<div id="id12" style="height: 25px; left: 549px; position: absolute; top: 84px; width: 41px; z-index: 1; " class="style_SkipStroke shape-with-text">
<div class="text-content graphic_textbox_layout_style_default_External_41_25" style="padding: 0px; ">
<div class="graphic_textbox_layout_style_default">
<p style="padding-bottom: 0pt; padding-top: 0pt; " class="paragraph_style_10"><a class="class10" title="Docs.html" href="Docs.html">Docs</a></p>
</div>
</div>
</div>
<div style="height: 37px; width: 1px;  height: 37px; left: 545px; position: absolute; top: 80px; width: 0px; z-index: 1; " class="tinyText">
<div style="position: relative; width: 0px; ">
<img src="Docs-wolfssl-manual-7-keys-and-certificates_files/shapeimage_10.png" alt="" style="height: 37px; left: 0px; position: absolute; top: 0px; width: 1px; "/>
</div>
</div>
<div id="id13" style="height: 27px; left: 634px; position: absolute; top: 224px; width: 102px; z-index: 1; " class="style_SkipStroke shape-with-text">
<div class="text-content graphic_textbox_layout_style_default_External_102_27" style="padding: 0px; ">
<div class="graphic_textbox_layout_style_default">
<p style="padding-bottom: 0pt; padding-top: 0pt; " class="paragraph_style_12"><a class="class11" title="Docs-wolfssl-manual-8-debugging.html" href="Docs-wolfssl-manual-8-debugging.html">Next Chapter</a></p>
</div>
</div>
</div>
<div id="id14" style="height: 25px; left: 35px; position: absolute; top: 224px; width: 125px; z-index: 1; " class="style_SkipStroke shape-with-text">
<div class="text-content graphic_textbox_layout_style_default_External_125_25" style="padding: 0px; ">
<div class="graphic_textbox_layout_style_default">
<p style="padding-bottom: 0pt; padding-top: 0pt; " class="paragraph_style_13"><a class="class12" title="Docs-wolfssl-manual-6-callbacks.html" href="Docs-wolfssl-manual-6-callbacks.html">Previous Chapter</a></p>
</div>
</div>
</div>
<div id="id15" style="height: 27px; left: 59px; position: absolute; top: 190px; width: 196px; z-index: 1; " class="style_SkipStroke shape-with-text">
<div class="text-content graphic_textbox_layout_style_default_External_196_27" style="padding: 0px; ">
<div class="graphic_textbox_layout_style_default">
<p style="padding-bottom: 0pt; padding-top: 0pt; " class="paragraph_style_14"><a class="class13" title="https://www.wolfssl.com/documentation/wolfSSL-Manual.pdf" href="https://www.wolfssl.com/documentation/wolfSSL-Manual.pdf">Download wolfSSL Manual (PDF)</a></p>
</div>
</div>
</div>
<div style="height: 22px; width: 22px;  height: 22px; left: 33px; position: absolute; top: 191px; width: 22px; z-index: 1; " class="tinyText style_SkipStroke_2">
<img src="Docs-wolfssl-manual-7-keys-and-certificates_files/PDF.png" alt="" style="border: none; height: 22px; width: 22px; "/>
</div>
<div id="id16" style="height: 25px; left: 323px; position: absolute; top: 224px; width: 125px; z-index: 1; " class="style_SkipStroke shape-with-text">
<div class="text-content graphic_textbox_layout_style_default_External_125_25" style="padding: 0px; ">
<div class="graphic_textbox_layout_style_default">
<p style="padding-bottom: 0pt; padding-top: 0pt; " class="paragraph_style_15"><a title="Docs-wolfssl-manual-toc.html" href="Docs-wolfssl-manual-toc.html">Table of Contents</a></p>
</div>
</div>
</div>
<div style="height: 16px; width: 20px;  height: 16px; left: 706px; position: absolute; top: 51px; width: 20px; z-index: 1; " class="tinyText">
<div style="position: relative; width: 20px; ">
<img src="Docs-wolfssl-manual-7-keys-and-certificates_files/shapeimage_11.png" alt="" style="height: 16px; left: 0px; position: absolute; top: 0px; width: 20px; "/>
</div>
</div>
<div style="height: 19px; width: 19px;  height: 19px; left: 707px; position: absolute; top: 25px; width: 19px; z-index: 1; " class="tinyText style_SkipStroke_2">
<img src="Docs-wolfssl-manual-7-keys-and-certificates_files/United%20Kingdom(Great%20Britain).png" alt="" style="border: none; height: 19px; width: 19px; "/>
</div>
<div id="id17" style="height: 23px; left: 328px; position: absolute; top: 48px; width: 258px; z-index: 1; " class="style_SkipStroke shape-with-text">
<div class="text-content graphic_textbox_layout_style_default_External_258_23" style="padding: 0px; ">
<div class="graphic_textbox_layout_style_default">
<p style="padding-bottom: 0pt; padding-top: 0pt; " class="paragraph_style_16">Questions? +1 (425) 245-8247</p>
</div>
</div>
</div>
<div style="height: 19px; width: 19px;  height: 19px; left: 685px; position: absolute; top: 25px; width: 19px; z-index: 1; " class="tinyText style_SkipStroke_2">
<a href="http://www.wolfssl.jp/" title="http://www.wolfssl.jp"><img src="Docs-wolfssl-manual-7-keys-and-certificates_files/japan.png" alt="" style="border: none; height: 19px; width: 19px; "/></a>
</div>
<div id="id18" style="height: 28px; left: 593px; position: absolute; top: 44px; width: 119px; z-index: 1; " class="style_SkipStroke shape-with-text">
<div class="text-content graphic_textbox_layout_style_default_External_119_28" style="padding: 0px; ">
<div class="graphic_textbox_layout_style_default">
<p style="padding-bottom: 0pt; padding-top: 0pt; " class="paragraph_style_17"><a class="class14" title="https://www.wolfssl.com/forums" href="https://www.wolfssl.com/forums">Support <span class="style_6">Forums</span></a></p>
</div>
</div>
</div>
<div style="height: 121px; width: 155px;  height: 121px; left: 32px; position: absolute; top: 5px; width: 155px; z-index: 1; " class="tinyText style_SkipStroke_2">
<a href="Home.html" title="Home.html"><img src="Docs-wolfssl-manual-7-keys-and-certificates_files/wolfssl_logo.png" alt="" style="border: none; height: 121px; width: 156px; "/></a>
</div>
<div style="height: 5884px; line-height: 5884px; " class="spacer"> </div>
</div>
<div style="height: 100px; margin-left: 0px; position: relative; width: 770px; z-index: 15; " id="footer_layer">
<div style="height: 0px; line-height: 0px; " class="bumper"> </div>
<div id="id19" style="height: 27px; left: 634px; position: absolute; top: 27px; width: 102px; z-index: 1; " class="style_SkipStroke shape-with-text">
<div class="text-content graphic_textbox_layout_style_default_External_102_27" style="padding: 0px; ">
<div class="graphic_textbox_layout_style_default">
<p style="padding-bottom: 0pt; padding-top: 0pt; " class="paragraph_style_12"><a class="class15" title="Docs-wolfssl-manual-8-debugging.html" href="Docs-wolfssl-manual-8-debugging.html">Next Chapter</a></p>
</div>
</div>
</div>
<div id="id20" style="height: 25px; left: 35px; position: absolute; top: 27px; width: 125px; z-index: 1; " class="style_SkipStroke shape-with-text">
<div class="text-content graphic_textbox_layout_style_default_External_125_25" style="padding: 0px; ">
<div class="graphic_textbox_layout_style_default">
<p style="padding-bottom: 0pt; padding-top: 0pt; " class="paragraph_style_18"><a class="class16" title="Docs-wolfssl-manual-6-callbacks.html" href="Docs-wolfssl-manual-6-callbacks.html">Previous Chapter</a></p>
</div>
</div>
</div>
<div id="id21" style="height: 25px; left: 323px; position: absolute; top: 27px; width: 125px; z-index: 1; " class="style_SkipStroke shape-with-text">
<div class="text-content graphic_textbox_layout_style_default_External_125_25" style="padding: 0px; ">
<div class="graphic_textbox_layout_style_default">
<p style="padding-bottom: 0pt; padding-top: 0pt; " class="paragraph_style_15"><a class="class17" title="Docs-wolfssl-manual-toc.html" href="Docs-wolfssl-manual-toc.html">Table of Contents</a></p>
</div>
</div>
</div>
<div id="id22" style="height: 29px; left: 35px; position: absolute; top: 65px; width: 701px; z-index: 1; " class="style_SkipStroke shape-with-text">
<div class="text-content graphic_textbox_layout_style_default_External_701_29" style="padding: 0px; ">
<div class="graphic_textbox_layout_style_default">
<p style="padding-bottom: 0pt; padding-top: 0pt; " class="paragraph_style_19">Copyright 2017 wolfSSL Inc.  All rights reserved.</p>
</div>
</div>
</div>
</div>
</div>
</div>
 <script type="text/javascript">/* <![CDATA[ */(function(d,s,a,i,j,r,l,m,t){try{l=d.getElementsByTagName('a');t=d.createElement('textarea');for(i=0;l.length-i;i++){try{a=l[i].href;s=a.indexOf('/cdn-cgi/l/email-protection');m=a.length;if(a&&s>-1&&m>28){j=28+s;s='';if(j<m){r='0x'+a.substr(j,2)|0;for(j+=2;j<m&&a.charAt(j)!='X';j+=2)s+='%'+('0'+('0x'+a.substr(j,2)^r).toString(16)).slice(-2);j++;s=decodeURIComponent(s)+a.substr(j,m-j)}t.innerHTML=s.replace(/</g,'&lt;').replace(/>/g,'&gt;');l[i].href='mailto:'+t.value}}catch(e){}}}catch(e){}})(document);/* ]]> */</script></body>

<!-- Mirrored from www.wolfssl.com/wolfSSL/Docs-wolfssl-manual-7-keys-and-certificates.html by HTTrack Website Copier/3.x [XR&CO'2014], Tue, 17 Jan 2017 13:30:42 GMT -->
</html>
